[nycbug-talk] pfsense and tor

fastgoldfish at gmail.com fastgoldfish at gmail.com
Fri Jul 5 03:34:16 EDT 2013


I'm a big fan of starting small, so I agree with just getting
everything working. That's what you are working on. When you're done,
maybe I'll eventually be able to figure out how to do more
sophisticated things with it, and I can send you my settings. Once the
XML is prepared for the basics, it should be easier for me to find a
spot to stick some other configuration parameters, if I get that far.

Also, I know adrelanos is curious about where this goes, so if I
succeed in making some progress, I might be able to persuade him to
collaborate to put some polish on it so it will be suitable for use as
the gateway in his Whonix project. He has said there is already one
other person who is doing something similar with PF in OpenBSD.
Basically, everybody is endlessly reinventing the wheel. pfSense seems
to be the right tool for the job, and I'm wondering why I didn't think
of it earlier.

The last line of investigation I followed before landing at pfSense
was Gargoyle router firmware that supports the kind of failsafe Tor
functionality everybody wants. It turns out that only a few hardware
routers are able to run Gargoyle with Tor, and ALL of them are
discontinued. Demand for them is so high that unscrupulous people are
selling fake router versions to exploit all the people trying to buy
them. Obviously, there's a LOT of people trying to do this if it is
attracting merchants with questionable offerings.

Last I heard, Buffalo CB-GK10B's were being sold as Buffalo
WZR-HP-G300NH. The CB-GK10B units do not work with Gargoyle firmware.
A lot of people are asking about this info on various sites, so maybe
they'll find it on Gmane after I post this.

How do we move this discussion over to the Tor list? Modern forum
software would have no problem with that....so I'm wondering, why do
people still use obsolete mailing lists? Back in the 2000's some
businesses would still insist that they can only receive image data
(like a scan of a driver's license) via expensive and obsolete FAX
machines (circa 1930's I think), instead of the more modern email.
Now, it's the email that's obsolete.

All the noise about that Snowden fellow is probably the catalyst that
will push email onto the path of extinction now that people realize
how ridiculously easy it is for unintended recipients to read your
mail. Normally it's the technically-sophisticated people that lead the
way with that, but this time it's different - it's us still using the
clunky obsolete technology while the rest of the world has left us
behind.

I think I'm subscribed to the Tor list now, so whatever happens next,
I don't know. SMF is BSD-licensed forum software, and it's fine stuff,
FYI :) Also, Nabble does a good job of "forum-izing" mailing lists,
and I use that when list admins have set it up to be available. You
still can't move discussions around with it, though.

On Thu, Jul 4, 2013 at 9:14 PM, George Rosamond
<george at ceetonetechnology.com> wrote:
> fastgoldfish at gmail.com:
>> I was referred to some more information about configuring
>> FreeBSD/pfSense for use with Tor, but most of it is over my head for
>> now:
>>
>> http://lists.freebsd.org/pipermail/freebsd-questions/2009-March/194405.html
>>
>> That was shared with me by idwer in Freenode's ##pfsense. It looks to
>> me that what is being described there is not merely a transparent
>> proxy, but instead actually a more thorough isolating proxy. The two
>> kinds are described here:
>>
>> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
>> https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
>>
>> It looks like it's not so straightforward as I thought it would be.
>> Installing Tor on pfSense and setting up some trivial routing rules
>> isn't all there is to it, and it's a little out of my league for now.
>> When the proper pfSense package for Tor is available, the system
>> configuration prerequisites will already be handled. Then, maybe the
>> problem will be reduced to the simpler routing setup that I was
>> originally expecting.
>>
>> I hope this info helps.
>
>
> Thanks Fish.
>
> I can tell you that I have tabled it for the rest of the week, but have
> Tor running fine on pfSense as a pkg install.
>
> I think the initial goal is just to get pfSense running as a
> relay/bridge/whatever for now.  The idea is to bump the number of Tor nodes.
>
> And I mean, with the pfSense interface, add the pkg, click enable, and
> deal with a handful of settings.  Let's lower the bar of entry while
> providing real relay functionality.
>
> Performing transparent proxying is a further "phase II" in my opinion.
> That is a larger project for a variety of reasons, and not immediate in
> need for other reasons.
>
> First, just set up SOCKS on a Tor relay manually... and configure clients
> to use it.
>
> Second, the problem with a number of "all-in-one" systems which attempt
> to integrate Tor proxying is they really try to do too much without
> scaling the functions.  Let's get the basics operational and 'out in the
> wild' in production before we try to satisfy every need.  I'd like to
> see a real user base for a pfSense Tor package that allows us to
> recognize any potential issues.
>
> BTW, it *may* be more appropriate to have these discussions on our
> Tor-BSD list (lists.nycbug.org).
>
> g
>